The blog belongs to Harlan Carvey who writes some very well recommended forensics books. In other posts he also mentions open source tools such as The Sleuth Kit, Helix and Autopsy which would be useful for anyone not able to fork out for the Encase or FTK licensing.

"To help academia handle the increased demand for new training and courses, Guidance Software's EnCase Academic Program includes everything an educational institution needs to incorporate EnCase effectively into their curriculum. In addition to classroom software, participants in the program can add a license of EnCase Forensic software and self-paced Internet-based on-demand training. This training mirrors the in-class instruction taken by more than 5,000 professionals annually at Guidance Software training facilities. Upon completion of their school's forensic program, students can opt to become an EnCase Certified Examiner (EnCE), giving them a competitive advantage as they enter the workforce."

I'm very interested in computer forensics, I've used Backtrack, EnCase, Knoppix for a while and love them... I have a blog that I'm hoping to start posting more on... check it out, leave a comment if you wish (constructive criticism please!)

For anyone who uses EnCase and is interested in the EnCE certification, EnCase 7 will soon be released as a "Community Technology Preview." This will take the place of a beta release. The official EnCase 7 product release will be by CEIC 2011 in May. It is expected that the EnCE exam will be changed to EnCase 7 six months after, but this is not final. Based on prior sales, it is expected that upwards of 80% of EnCase 6 owners will have upgraded to EnCase 7 by that time.

The bottom line is if you are an EnCase 6 user and have been thinking of getting your EnCE cert, you better consider doing it soon, or you'll need to learn EnCase 7 before getting it. If that appeals to you, the EnCase 7 Study Guide is due out in the next 2-4 weeks.

I bought Harlan Carvey's Windows Registry Forensics book, but I haven't thumbed through his Open Source tools one. His works are very well respected. In the computer forensics world, all you need do is say "Harlan" and everyone knows who you are talking about.

I grabbed that a bit ago as well. I haven't been able to touch it since CEH and CPT :P

Everyone I've talked to about that book says it's the de facto Windows forensics book right now.

I've been thinking more and more about network forensics; it seems difficult and interesting, though I don't see a whole lot on the subject. My guess is I'd have to focus more on network monitoring and apply it to network forensics.

Remember that "forensics" is about collecting, analyzing, and documenting evidence that may be used in a court of law. You would need to think about the kinds of evidence that are traveling around a network that need collecting, analyzing, and documenting.

You would start with the topology of the network and the kinds of systems and services available on it. Next you would look at the network traffic and determine what kinds of useful data and meta-data you could derive from it (that is, what would a prosecuting or defense attorney ask to see).

Time-lines are usually very important in a case, so knowing "who was doing what when and where" is something that needs to be discovered too. Either you are collecting this information as part of your normal business operations (Operational Forensics) or you are sifting it out of log files and databases after the fact.

JD had two questions for you. What are your thoughts on the CHFI? Worth going for? Finally, what are your thoughts on getting a Masters in Digital Forensics as a way to get into the field?

I've had those same two questions myself. I'm not sure if I have my final answers, but...

When looking at the CF certs held by "real" CF people, I never see the CHFI; it's always EnCE, ACE, CCE, CCFE, CFCE, etc. Considering how expensive EC-Council certs have gotten, for myself I would probably only go after the CHFI if someone else paid for it and the training. However, the course material still looks good enough to learn from even if you don't take the exam.

Most CF people do not have a Masters degree, let alone one in CF/DF, so it's not necessary to go to that extreme to learn, or get a job in, CF. It's such a highly specialized Masters degree that I would really consider something more security-generic, such as MSIA or MSIT-IS. That way, if you decide to switch to a different security field, your Masters doesn't seem only relevant for CF.

I've been looking at the ACE cert, but it appears to require experience with AccessData's FTK. The only certification I can think of that might have value while also being vendor neutral is the GCFA from GIAC. I spent a couple of evenings thoroughly looking through ForensicFocus.com.

I think most CF certs will be mostly vendor-neutral with some material about the most popular CF software packages (it's like trying to make a cert exam that doesn't mention Windows, Cisco, etc.). A few CF certs are highly vendor-specific and usually created by companies that make CF products. These are simply to provide a level of assurance that people have a minimal level of competency for using specific CF products.

The ACE is specifically for testing the candidate on the use of FTK for conducting a forensics investigation. The EnCE is the same but for using EnCase. I would not attempt either of those certs unless you have done actual casework using them. The Sybex EnCE Study Guide supposedly has all of the information needed to pass the EnCE written exam, but the experience of knowing how to apply that information is what you need to pass. And then, after you pass the written exam, there is the practical exam, where you actually use EnCase to perform a simulated examination and write a report. The exam should not be the first time you attempt to use the software.

So would something like the GIAC GCFA or EC-Council CHFI be a good beginning point? I'm starting to get more and more interested, but I'm not sure how someone would get hired without any experience with EnCase, etc.

edit: I've read through much of ForensicFocus.com, but I would be curious to hear your thoughts, or those of anyone else on TE who might have some experience with computer forensics.

You usually get into CF by being a member of a legal firm, law enforcement, or being a civilian working for law enforcement, or military law/police. CF requires you to know a lot about working with law enforcement and the court system, so they like people with that background. eDiscovery is a side-way to get into forensics, but they usually want people who already have experience.

I have asked around about internships and volunteer positions, but because of the current economic situation, programs like that have been scaled back or indefinitely suspended. Doing real CF for criminal/civil cases requires an extensive background check, which is rather expensive, and most agencies don't have the money for that right now.

In addition to looking for commercial forensics and eDiscovery jobs on dice, monster, etc., have a look at city, county, state, and federal job sites for forensics examiner and analyst positions. That will give you a good idea of what's being looked for. Here is a typical CF job at my local DA's office.

I just took the CSFA, and it is a hard test. You receive a case and have less than 3 days to perform an analysis and write a report. Edmonds Community College in Lynnwood, WA has a 2-year program in information security; forensics is a huge part of it. The head of the department is Steve Hailey, a recognized expert in the field of forensics. After you finish the computer forensics classes you can take the AccessData certification, which I successfully completed for FTK/PRTK.

City University in Bellevue, WA has a program in reverse-engineering/malware analysis; I don't know as much about it.